Cloud Computing: What You Don't Know Can Hurt You

Patrick X. Fowler, Esq. Snell & Wilmer LLP Phoenix, Arizona 602.382.6213 | [email protected] Cloud Computing: What You Don’t Know Can Hurt You © 2012 Snell & Wilmer L.L.P 1

description

An introduction to some of the legal issues surrounding cloud computing

Transcript of Cloud Computing: What You Don't Know Can Hurt You

Page 1: Cloud Computing:  What You Don't Know Can Hurt You

Patrick X. Fowler, Esq. Snell & Wilmer LLP Phoenix, Arizona

602.382.6213 | [email protected]

Cloud Computing: What You Don’t Know Can Hurt You

© 2012 Snell & Wilmer L.L.P 1

Page 2: Cloud Computing:  What You Don't Know Can Hurt You

Today’s Topics

• What is cloud computing?
• Common cloud computing applications
• How does it work?
• Cloud computing concerns
  ◦ Data Ownership and Access
  ◦ Data Location and Security
  ◦ Data Privacy in the US and EU

Page 3: Cloud Computing:  What You Don't Know Can Hurt You

What is Cloud Computing?

• Using the internet…

• to access remotely-located computer servers…

• for scalable, on-demand software applications, computing power and data storage…

• that you might pay a fee for, but don’t own.


Page 4: Cloud Computing:  What You Don't Know Can Hurt You

Common Cloud Applications

• Webmail – Gmail, Hotmail, AOL
• Productivity – Microsoft Office 365, GoogleDocs
• Data Sharing – Dropbox, GoToMeeting
• Data Storage – iCloud, Amazon, Carbonite
• Social Media – Facebook, LinkedIn, YouTube
• Retailing – Amazon, Apple, eBay
• Banking – Chase, Bank of America
• Government – www.apps.gov

Page 5: Cloud Computing:  What You Don't Know Can Hurt You

Most Common Use of the Cloud?

• Social Networking – By Far


Page 6: Cloud Computing:  What You Don't Know Can Hurt You

“Official” Government Definition

National Institute of Standards and Technology
• Responsible for developing standards and guidelines for providing information security for all federal gov’t agencies and assets.
• NIST Special Publication 800-145 (September 2011)

Page 7: Cloud Computing:  What You Don't Know Can Hurt You

Why Are We Moving to the Cloud?

• It’s much cheaper to rent than to own.
  ◦ Outsourcing to the cloud reduces corporate data storage costs by 80%, and requires a smaller IT staff
• It’s more flexible/scalable/elastic.
  ◦ Quickly expand and contract storage and computing needs, based on demand.
  ◦ Faster access to improved technology.
• It’s more secure – in some respects.
  ◦ Remote, redundant data back-ups in case of disaster

Page 8: Cloud Computing:  What You Don't Know Can Hurt You

How Does Cloud Computing Work?

• Major cloud providers:
  ◦ Amazon
  ◦ Google
  ◦ Microsoft
  ◦ Apple
• Major cloud providers have multiple, distant data centers (i.e. server farms) where data is redundantly stored/processed.

Page 9: Cloud Computing:  What You Don't Know Can Hurt You

Cloud Data Center Locations

• Amazon:
  ◦ North America (CA, OR)
  ◦ EU (Ireland)
  ◦ Asia (Singapore, Tokyo)
  ◦ South America (Brazil)
  ◦ Future: Buried in Siberian permafrost?
• Google:
  ◦ USA (SC, NC, GA, OK, IA, OR)
  ◦ Finland, Belgium
  ◦ Hong Kong, Singapore, Taiwan
  ◦ Future: Cargo ships powered & cooled by the sea?

Page 10: Cloud Computing:  What You Don't Know Can Hurt You

How is Data Stored in the Cloud?

Per Google’s web site:
• Data is not stored on a single machine or set of machines; data from all Google customers is distributed amongst a shared infrastructure composed of many computers located across Google’s many data centers.
• Data is chunked and replicated over multiple systems so that no one system is a single point of failure. Data chunks are given random file names and they’re not stored in clear text, so they’re not humanly readable.

Source: http://www.google.com/about/datacenters/inside/data-security.html#

Page 11: Cloud Computing:  What You Don't Know Can Hurt You

Cloud Computing Concerns

• Data Ownership & Access

• Data Location and Security

• Data Privacy

• What Law Governs?

• E-Discovery Obligations

If possible, your contract with the cloud provider should address these issues.


Page 12: Cloud Computing:  What You Don't Know Can Hurt You

Data Ownership & Access


Page 13: Cloud Computing:  What You Don't Know Can Hurt You

Cloud Data Ownership & Access

• Who owns the data once it has been uploaded?
  ◦ Short Answer: Should not be the cloud provider!
• Who owns the servers where the data is stored?
  ◦ Is it the party with whom you contracted? A third party? How many links in the contract chain?
• How often will the data be accessible?
  ◦ Industry custom is 99.99% of the time.
• What happens if access is interrupted?
  ◦ Are fee credits provided?

Page 14: Cloud Computing:  What You Don't Know Can Hurt You

Cloud Data Ownership & Access

• If you terminate the agreement with the cloud provider, what happens to your data?
  ◦ How long will your data remain on the cloud servers?
  ◦ Is it then deleted from the cloud provider’s servers?
    - Important when dealing with customer data, credit card information, HIPAA data, etc.
• What if the cloud provider goes bankrupt or is shut down by a government?
  ◦ Example: MegaUpload seized by DOJ in January ’12
• E-discovery obligations?

Page 15: Cloud Computing:  What You Don't Know Can Hurt You

Data Storage Location & Security

Page 16: Cloud Computing:  What You Don't Know Can Hurt You

Data Storage Location & Security

• In what countries are the cloud data centers located that will store your data?
  ◦ Evaluate the data privacy laws where the data centers are located.
  ◦ Consider potential jurisdictional and choice of law issues.
• Is the data required to be maintained within a certain country?
  ◦ E.g., Government records, national defense materials.

Page 17: Cloud Computing:  What You Don't Know Can Hurt You

Data Storage Location & Security

• What physical and digital security standards does the cloud provider adhere to? Will it tell you?

• How do they compare to the security procedures used by Amazon, Google and Microsoft?

• Do outside auditors certify the proper storage and use of data by the cloud provider?


Page 18: Cloud Computing:  What You Don't Know Can Hurt You

Data Storage Location & Security

• Physical security measures:
  ◦ Non-descript facilities, restricted physical access, video surveillance, biometric clearance;
  ◦ Fire detection and suppression, uninterrupted power supply, climate and temperature control;
  ◦ Redundant data storage in different locations;
  ◦ A business continuity and disaster recovery plan to ensure service is maintained & to recover any data loss.

Page 19: Cloud Computing:  What You Don't Know Can Hurt You

Data Storage Location & Security

• Digital security measures:
  ◦ Is your data securely stored when “at rest” and securely moved between locations?
  ◦ Does the cloud provider have rights to access your data? If so, why?
  ◦ Is your data stored in aggregate with other customers? If so, how good is the disaggregation?
  ◦ How does the cloud provider decommission old storage devices that once held your data?

Page 20: Cloud Computing:  What You Don't Know Can Hurt You

Data Storage Location & Security

• What if your data is corrupted, lost or stolen?
  ◦ Caveat emptor. Let the buyer beware.
  ◦ Terms of service typically disclaim all warranties and exclude liability for any damages.
• Example:
  ◦ “WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES….”

Page 21: Cloud Computing:  What You Don't Know Can Hurt You

Choose your cloud provider wisely!

• If you have little or no leverage in negotiating terms with the cloud provider…
  ◦ Is the cloud provider reputable & reliable?
    - How transparent is the cloud provider willing to be?
    - Quality vs. price – you probably get what you pay for.
    - Is the cost savings worth the risk of data loss/interruption?
  ◦ What contingency plan do you have if the service fails?
    - Separate, independent digital back-up?
    - Hard copy back-up?
  ◦ What remedies, if any, do you have against the cloud provider if there is data loss or service failure?

Page 22: Cloud Computing:  What You Don't Know Can Hurt You

Data Privacy


Page 23: Cloud Computing:  What You Don't Know Can Hurt You

Data Privacy Issues

• Data in the cloud is subject to different protections than information stored in-house;
  ◦ Data in the cloud = held by a third-party
• Currently: there is a patchwork of Federal and State data privacy laws;
• US and EU data privacy rules significantly differ;
  ◦ EU has more protections and regulations
• US and EU have recently proposed expanded data privacy regulations.

Page 24: Cloud Computing:  What You Don't Know Can Hurt You

Data Privacy Issues

• Existing laws can compel disclosure of cloud data to the government.
  ◦ Electronic Communications Privacy Act (ECPA)
  ◦ Stored Communications Act (SCA)
  ◦ USA Patriot Act
    - National Security Letters
    - Foreign Intelligence Surveillance Act (FISA) Warrants
  ◦ Warrants and subpoenas generally

Page 25: Cloud Computing:  What You Don't Know Can Hurt You

Data Privacy Issues

• Current rules imposing data security and/or breach notification obligations, including:
  ◦ Sarbanes-Oxley
  ◦ Family Educational Rights and Privacy Act (FERPA)
  ◦ Health Insurance Portability & Accountability Act (HIPAA)
  ◦ Health Information Technology for Economic and Clinical Health (HITECH) Act
  ◦ Gramm-Leach-Bliley Act (GLBA)
  ◦ FTC Act, Section 5 (for companies that store customer information on the cloud)
  ◦ State Laws and Regulations

Page 26: Cloud Computing:  What You Don't Know Can Hurt You

Data Privacy: New Regulations?

• Significantly expanded data privacy regulation schemes proposed in early 2012:
  ◦ White House: Consumer Privacy Bill of Rights
  ◦ EU: New General Data Protection Regulations

Page 27: Cloud Computing:  What You Don't Know Can Hurt You

Data Privacy: New Regulations?

White House Proposal – Feb. 2012
• On-line Consumer Privacy Bill of Rights
• Enforceable Codes of Conduct
• Expanded FTC Role Re Data Privacy Rights Enforcement
• Increased “Global Interoperability” re various consumer data privacy regs

Page 28: Cloud Computing:  What You Don't Know Can Hurt You

Proposed “Consumer Privacy Bill of Rights”

• Intended goals are:
  ◦ Preserve online consumer trust in the internet economy,
  ◦ While providing Internet companies with the regulatory certainty needed to permit innovation in on-line commerce.
• Available on-line:
  ◦ http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

Page 29: Cloud Computing:  What You Don't Know Can Hurt You

Proposed “Consumer Privacy Bill of Rights”

• Individual Control by consumers of the data collected by companies and how those companies use such data;

• Transparency regarding privacy and security practices;

• Respect for Context to ensure that companies use data consistently with the context in which the consumer provides the data;

• Security in handling personal data;

Page 30: Cloud Computing:  What You Don't Know Can Hurt You

Proposed “Consumer Privacy Bill of Rights”

• Access and Accuracy including the right of consumers to access and correct personal data;

• Focused Collection through reasonable limits on collection and retention by companies of personal data; and

• Accountability to ensure that companies handling data adhere to the Consumer Privacy Bill of Rights.


Page 31: Cloud Computing:  What You Don't Know Can Hurt You

Proposed “Consumer Privacy Bill of Rights”

• The White House proposes voluntary adoption of a binding code of conduct incorporating the privacy principles in the bill of rights…thus making it enforceable under Section 5 of the FTC Act.

• Alternatively, the White House proposes that Congress pass a law incorporating the privacy bill of rights.

• Unlikely that Congress will pass legislation this year.


Page 32: Cloud Computing:  What You Don't Know Can Hurt You

Proposed EU Data Protection Regulations

• Proposed January 25, 2012
• Significant expansion of current EU data privacy scheme
• Data privacy already a fundamental right, per the EU Constitution
• Potential implications beyond EU borders

Page 33: Cloud Computing:  What You Don't Know Can Hurt You

Proposed EU Data Protection Regulations

• Would apply to almost all data collection and processing activities regarding EU “data subjects”
  ◦ Would cover controllers and processors located in the EU
  ◦ Would also cover controllers and processors located outside of the EU if they offer goods or services to data subjects in the EU or monitor their behavior
• Increased protections must be assured before consumer data may be moved outside the EU

Page 34: Cloud Computing:  What You Don't Know Can Hurt You

Proposed EU Data Protection Regulations

• Provides increased consumer control of data
  ◦ With few exceptions, data subjects must give “informed consent” (generally through an “opt-in” process) before their personal data may be processed;
• Internet users would have “The Right to be Forgotten”
  ◦ Data subject would be entitled to have personal data erased, even if the data has been made public!
• Available on-line:
  ◦ http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

Page 35: Cloud Computing:  What You Don't Know Can Hurt You

Thank you

Patrick X. Fowler, Esq. Snell & Wilmer LLP Phoenix, Arizona

602.382.6213 | [email protected]
